Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

0ADLfPX6HX.elf

ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

initial sample

Details

Filetype:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy:	5.492160291266384
Filename:	0ADLfPX6HX.elf
Filesize:	98356
MD5:	e5bd5c63bcfbb666d90ce48b9baf2b20
SHA1:	282c42c97e0efd2857d75d8a9178de0d18577462
SHA256:	053cdf9b979fbd6a898e2227bb11dbd103df5e4b0bee9db737fa4426439c739e
SHA512:	dc083b93b435312a002c4666c885f0f5a6683c8428e533d13a77ee377f6f7175333c1df1a524c814c80a41d263f1f223808f97cca1310bb97c611b4b6312b5b4
SSDEEP:	1536:F7EnxX/ZpiIvAuZrOVIpUEW5iIO24eFyZNI4oSi8Q5:KnxX//iw6EWAIO2ok43o
Preview:	.ELF.....................@.`...4..~......4. ...(.............@...@....s...s...............s..Es..Es.......,.........dt.Q............................<...'......!'.......................<...'......!... ....'9... ......................<...'..h...!........'9V

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Sample deletes itself	Hooking and other Techniques for Hiding and Protection	File Deletion
Enumerates processes within the "proc" file system	Persistence and Installation Behavior	OS Credential Dumping
Found strings indicative of a multi-platform dropper	Spreading	Scripting
Sample tries to kill a process (SIGKILL)	System Summary
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery

/tmp/qemu-open.5ajnH3 (deleted)

data

dropped

Details

File:	/tmp/qemu-open.5ajnH3 (deleted)
Category:	dropped
Dump:	qemu-open.5ajnH3 (deleted).12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/0ADLfPX6HX.elf
Type:	data
Entropy:	4.415061012203069
Encrypted:	false
Ssdeep:	3:TgVodTziiHJN:TgVod9JN
Size:	30
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

/tmp/0ADLfPX6HX.elf

/usr/libexec/gnome-session-binary

/bin/sh

/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

/usr/libexec/gsd-rfkill

/usr/lib/systemd/systemd

/lib/systemd/systemd-hostnamed

Domains

Name

Malicious

cnc.voidnet.click

94.156.79.77

Details

Name:	cnc.voidnet.click
IP:	94.156.79.77
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

94.156.79.77

cnc.voidnet.click

Bulgaria

Details

IP:	94.156.79.77
TargetID:	-1
Country:	Bulgaria
Countrycode:	BGR
ASN number:	43561
ASN name:	NET1-ASBG
Private:	false
Domain:	cnc.voidnet.click

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

89.190.156.145

unknown

United Kingdom

Details

IP:	89.190.156.145
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	7489
ASN name:	HOSTUS-GLOBAL-ASHostUSHK
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

109.202.202.202

unknown

Switzerland

Details

IP:	109.202.202.202
TargetID:	-1
Country:	Switzerland
Countrycode:	CHE
ASN number:	13030
ASN name:	INIT7CH
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.43

unknown

United Kingdom

Details

IP:	91.189.91.43
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

91.189.91.42

unknown

United Kingdom

Details

IP:	91.189.91.42
TargetID:	-1
Country:	United Kingdom
Countrycode:	GBR
ASN number:	41231
ASN name:	CANONICAL-ASGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f6323de9000

page read and write

7f6324ab5000

page read and write

7f6324abd000

page read and write

7f631c000000

page read and write

7f629c45b000

page read and write

7f63247ab000

page read and write

7ffe4450b000

page read and write

7f632445d000

page read and write

561ad8175000

page execute and read and write

7f6323ddb000

page read and write

7f632447a000

page read and write

561ad5ee5000

page execute read

561ad616d000

page read and write

7ffe445b2000

page execute read

7f632443a000

page read and write

561ad6177000

page read and write

7f6324099000

page read and write

7f632498c000

page read and write

561ad8527000

page read and write

7f629c418000

page execute read

561ad818c000

page read and write

7f629c458000

page read and write

7f631c021000

page read and write

7f6324b02000

page read and write

7f63235d3000

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
0ADLfPX6HX.elf

Files

Processes

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report0ADLfPX6HX.elf

Files

Processes

Domains

IPs

Memdumps

IOC Report
0ADLfPX6HX.elf